- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to extract events from simple Scripted Input s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'm trying to understand Scripted Inputs concept so I have created simple Scripted Input with Python script:
import sys
sys.stdout.write('test1,test2,test3\n')
I want to add these events in the main index.
My Scripted Input lies in search app, I have added pops.conf (all configs are in the local folder of the search app):
[test]
TIME_PREFIX=^[^\|]+\|
TIME_FORMAT=%Q
SHOULD_LINEMERGE=false
Inputs.conf:
[script://$SPLUNK_HOME\bin\scripts\test.py]
disabled = 0
index = main
interval = 15
sourcetype = test
Howerer I don't see any events in my main index, also nothing in logs either. I have splunk enterprise under a local account on Windows.
Where is my mistake?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are there any errors in splunkd.log?
You probably need a wrapper script (.cmd) to execute the python code, because the ".py" extension may not be registered to execute python directly.
The recommended way to execute a python script from Splunk is:
$SPLUNK_HOME/bin/splunk cmd python <your_script>.py
http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptWriting
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are there any errors in splunkd.log?
You probably need a wrapper script (.cmd) to execute the python code, because the ".py" extension may not be registered to execute python directly.
The recommended way to execute a python script from Splunk is:
$SPLUNK_HOME/bin/splunk cmd python <your_script>.py
http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptWriting
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In splunkd.log I can see:
06-06-2015 15:41:37.321 -0400 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/bin/scripts/test.py
The script is working, I have checked it (it created log file etc) however no events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems I have solved the problem. My output was in wrong format. This format works:
print "%s eventID=%s" % ("[" + strftime("%m/%d/%Y %H:%M:%S %p %Z",localtime()) + "]", int(time.time()))
But I have another question, how to make splunk read my custom formated event?
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
